Issue collector not matching submitter user's session to make them issue reporter
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When a logged-in user tries to raise a ticket through Issue Collector, their user session is no longer matched, which means the user needs to enter their email address while reporting feedback (corresponding to the case when a user is submitting feedback anonymously).
This is working as designed. This behaviour was changed in order to accommodate the stricter SameSite cookie policy that was implemented in Chrome 80. Read on below for more details.
Environment
This behaviour appears in the following Jira versions and higher: 8.7.0, 8.5.4, 8.6.2, 7.13.13.
Diagnosis
Log in to Jira
Use the Issue Collector functionality to raise feedback in Jira
The Issue Collector asks for an email address to match the Reporter field, although the user is already logged in
Cause
Recently, Chrome added a new cookie policy in versions 80 and higher, related to SameSite cookie settings. These changes are being added to other browsers at the same time, all with the purpose of improving security and avoiding Cross-Site Request Forgery attacks. More about these changes can be found in this external resource: Developers: Get Ready for New SameSite=None; Secure Cookie Settings. Moreover, these changes are being implemented as part of an IETF recommendation, and are being adopted as an industry standard.
Implementing SameSite cookie controls would break Issue Collector functionality for collectors that appear on separate domains. This was addressed in the scope of the following bug ticket: JRASERVER-70494 - Issue Collectors won't work for clients using Chrome 80 which enables new samesite cookie controls
Part of the solution for making Issue Collectors work for Chrome 80+ users is to drop the XSRF token check. However, this check was used by one Issue Collector feature: a particular Issue Collector could be configured so that the reporter of the newly created issue was matched with the currently logged-in user.
Since Issue Collector cannot provide that functionality without XSRF token check, a trade-off has been made and this feature was removed. Issue Collector no longer uses the logged-in user session for its logic, so it is no longer possible to match the session and set the logged-in user as reporter.
This means users will need to enter their email address in the Issue Collector form.
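The following added example (not Atlassian code) models the Chrome 80+ SameSite rules referred to above, to show why a session cookie without SameSite=None; Secure is not attached to requests from a collector embedded on a separate domain. The cookie name SESSION, the host names, and the function names are constructed for illustration.

```javascript
// Simplified model of Chrome 80+ SameSite enforcement (added example).
// Assumptions: all requests are HTTPS, the cookie was set by targetHost,
// and "site" is the last two host labels (browsers use the Public Suffix List).
// Chrome's temporary "Lax + POST" allowance for new cookies is not modelled.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Extract the attributes of a Set-Cookie value that matter for SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = value;
  }
  return cookie;
}

// request: { pageHost, targetHost, method, topLevelNavigation }
// pageHost is the host in the address bar, also for requests from an iframe.
function cookieIsSent(setCookieHeader, request) {
  const c = parseSetCookie(setCookieHeader);
  // A missing or unrecognised SameSite value is treated as Lax.
  const mode = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  if (mode === 'none' && !c.secure) return false; // rejected when set
  if (site(request.pageHost) === site(request.targetHost)) return true;
  if (mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: cross-site only on top-level navigations with a safe method.
  return request.topLevelNavigation && SAFE_METHODS.includes(request.method);
}

// Constructed sample: a collector served by jira.example.com, embedded in a
// page on www.example.org, submitting its form from inside the iframe.
const collectorSubmit = { pageHost: 'www.example.org', targetHost: 'jira.example.com',
  method: 'POST', topLevelNavigation: false };
const sameSiteEmbed = { ...collectorSubmit, pageHost: 'intranet.example.com' };

console.log(cookieIsSent('SESSION=abc123; Path=/; HttpOnly', collectorSubmit));
console.log(cookieIsSent('SESSION=abc123; Path=/; Secure; SameSite=None', collectorSubmit));
console.log(cookieIsSent('SESSION=abc123; Path=/; HttpOnly', sameSiteEmbed));
```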
The Jira Software 8.5.4 Upgrade notes describe how the Issue Collector behaviour was changed in order to avoid the impact of the new SameSite policy:
The upcoming update of the Chrome browser introduces new cookie security features, which would essentially break the issue collectors embedded on separate domains. We’ve fixed this problem, but this brought some changes to how issue collectors work:
You can no longer match the submitter’s user session to make them the issue reporter. You can still match them by using their email address.
You don’t have to enable 3rd party cookies to make the issue collector work. We’ve removed this requirement, also dropping some error messages that reminded about it.
The project and issue key will no longer be displayed in the success message after submitting feedback (unless the project is open to Anyone on the web). We did this to improve security by not disclosing information about projects and issues.
Solution
This behaviour is working as designed, as per the explanation above.
The stricter SameSite policy is being adopted with the purpose of improving user security. These modifications to Issue Collector functionality were therefore made so that it can work properly while adhering to the SameSite cookie controls in the browser.
ℹ️ Please vote for the following feature request if you would like the removed functionality back in Jira: JRASERVER-71186 - Revert functionality to match user session to Reporter field when providing feedback through Issue Collector
Other Notes
References for further reading: